Challenges associated with updating medical device software

Keeping software updated as new vulnerabilities continue to be discovered remains a major cybersecurity challenge for medical devices, said David Brumley, a professor of cybersecurity at Carnegie Mellon University and CEO of security firm ForAllSecure. Solving this persistent problem requires a fundamental shift in thinking, he said.

“The biggest thing we can hope for is an increase in the frequency of updates,” he said. “The traditional approach – and this was just a few years ago – was to build a medical device, get it certified and stay that way forever. We know that is no longer the case.”

An important challenge for manufacturers and healthcare organizations is to make updates available and get them installed on devices as quickly as possible when new security vulnerabilities and other new software issues are discovered, he said.

“You can’t predict all the different things that will happen” in terms of vulnerabilities that might be discovered, he said. “We can anticipate the need to quickly iterate and make them available to customers. So it’s a cultural change.”

In this audio interview with Information Security Media Group, Brumley also discussed:

  • Increased powers of the Food and Drug Administration regarding medical device cybersecurity and further actions of the agency;
  • Security considerations related to remote patient monitoring using consumer-grade medical devices and wearable health devices;
  • Privacy and security issues related to artificial intelligence and machine learning-enabled medical devices.

Brumley is a professor of electrical and computer engineering at Carnegie Mellon University and director of the CyLab Security & Privacy Institute. He has over 20 years of cybersecurity experience in academia and practice.